Process Control Network Security

More documents

Recommendations

Info

• Inadequate logical access restriction – A PCN specific riskLimiting the logical access to PCNs is comparable to limiting access to office IT.Care has to be taken that only those people who need access to IT systems froma business point of view are able to access IT systems. This is the same for bothoffice IT and PCNs. However, terminals within an industrial environment mayneed to be accessed during production processes. As such, these systems differfrom office IT and may need access in emergency situations (are more availabilityconstrained). This is why we think we should discuss this subject in more detail inSection 7.3.3.• Inadequate physical access restriction – A PCN specific riskPCNs are often implemented over a vast physical area. In this way PCNs differfrom office IT. Within standard security frameworks we have not found measureswhich properly address physical access restriction over a vast physical area. Assuch, we think we should describe in what way adequate physical accessrestriction may be accomplished for PCNs. This will be discussed in Section 7.3.4.• Shared resources – A general IT riskAs described in Section 5.3.5.7, there is not a lot more to addressing this riskthan to assign high priority services over low priority services and makingadditional investments, where needed, to prevent low priority services frominadvertently influencing high priority services. As such, an IT auditor should beable to figure out how to handle this risk. Such risks are related to the prioritizingof specific processes for individual companies. By interviewing companymanagement and gathering which processes are primary and which aresecondary, it should be possible to assign resources to these processesaccordingly. Moreover, we consider the situations in which shared resources needto be prioritized to be very situation-dependent. This is why we consider it hard todefine a general approach towards solving this problem for all PCNs. ISO 27001A14.1 also discusses that company critical processes should be protected fromdisruptions in information systems.• Lack of adequate monitoring – A general IT riskImplementing monitoring (facilities) for PCNs at first glance might be consideredto be a PCN specific risk, because PCNs operate in a very specific environment,compared to office IT. Where office IT systems are quite comparable, this is notnecessary the case when comparing one PCN with the other. However, the way inwhich monitoring should be implemented in PCNs is quite comparable to office IT;there should be a log of which person accessed what device and this access logshould be monitored and correlated to business need. Logging access to all PCNcomponents may not be possible; however, a general IT security frameworkshould provide the proper guidance for implementing compensating controls. Anexample of a compensating control for the lack of logging facilities of a PCNcomponent might be logging access to a single point of access to the PCN (e.g.stepping stone).At this moment a distinction has been made between what we feel are specificPCN related risks which can and which can’t be addressed by a general IT securityframework. We will continue our discussion of those risks which can’t beaddressed by a general IT security framework and are specific to PCNs. For atreatment of general IT security risks (and a general IT security framework), wewould like to refer to the Appendix.Process Control Network Security Page 36
7.3 Specific risks for PCNs7.3.1 Unsupported systemsImportant characteristics of unsupported systems are that these systems, whichare old in some respects, can’t be changed easily but are needed for operation.Because updating is hard or impossible (not supported by vendor anymore, e.g.Windows NT4), a solution could be to implement additional or compensatingmeasures. For instance, suppose the risk exists that communication betweenunsupported systems can be tampered with. Compensating measures outside ofthe system, such as isolating the PCN would not require changes to the PCNcomponents itself. An example to clarify a potential compensating control couldbe: employing a secure medium such as VPN, which makes sure that in transitcommunication can’t be tampered with (from end to end). Such a solution wouldrequire no change to the unsupported systems (if all other communicationpossibilities would be disabled) but would require a new implementation (orencapsulation by a newer system) which encodes communications onto thesecure channel and decodes communications of the secure channel into areadable format again.1 - Comparison with CIP (NERC)No information was found within the CIP standards [CIP001-1-CIP009-1] toaddress how to deal with old or unsupported systems.2 - Comparison with Good Practice Guide Process Control and SCADA Security,NISCCIn the NISCC good practice guide, unsupported systems are mentioned within theoverview. However, they are not mentioned further within the guide.3 - Comparison with Special Publication 800-53 Revision 3, NISTNIST 800-53 describes that a gap analysis needs to be performed forunsupported systems to determine the types of threats an organization canreasonably expect to counter. In addition, control SA-8 Security EngineeringPrinciples, describes that “For unsupported information systems, the organizationapplies security engineering principles to system upgrades and modifications, tothe extent feasible, given the current state of the hardware, software, andfirmware components within the system.” This is a statement which says not a lotmore than to behave in a flexible way regarding unsupported systems.7.3.1.1 SummaryThe table below summarizes the applicable controls from each of the availableframeworks. We do not feel any framework addresses the risk for unsupportedsystems in a way which would not have been obvious from a general framework.Category CIP NISCC NIST 800-53Unsupported systemsinsufficientlyaddressedinsufficientlyaddressedSA-87.3.2 Increased interconnectivityBecause PCNs are increasingly connected to the office-IT network, we believethat filters need to be implemented on all interfaces between the PCN and allconnecting non-PCN networks. Firewalls can play an important role for thisProcess Control Network Security Page 37
Page 1 and 2: Process Control Network SecurityCom
Page 3 and 4: Table of ContentsPreface ..........
Page 5 and 6: 1 Introduction1.1 IntroductionFor t
Page 7 and 8: 2 Research ApproachThis chapter wil
Page 9 and 10: The relationship between CIA and ST
Page 11 and 12: The picture below shows some typica
Page 13 and 14: 3.4 Communication Topology (past vs
Page 15 and 16: 4 PCNs vs. Office IT4.1 Introductio
Page 17 and 18: The differences mentioned above and
Page 19 and 20: As a result, access controls design
Page 21 and 22: - unpatched machines within the PCN
Page 23 and 24: In addition, the scale on which cyb
Page 25 and 26: The list below presents examples of
Page 27 and 28: SpoofingidentityTamperingwith dataR
Page 30 and 31: SpoofingidentityTamperingwith dataR
Page 32 and 33: does hardly take place. Unauthorize
Page 34 and 35: The US department for Homeland Secu
Page 38 and 39: functionality. These firewalls shou
Page 40 and 41: NIST 800-53 control AC-2 describes
Page 42 and 43: 1 Unsupported systemsThe following
Page 44 and 45: CategoryControlIncreasedinterconnec
Page 46 and 47: CategoryControlcomponents.4.5 In si
Page 48 and 49: 2 Increased interconnectivity (e.g.
Page 50 and 51: 9 ReflectionDuring the writing of t
Page 52 and 53: [GIA09][GOOD08][ITIL09][MCA09][MS09
Page 54 and 55: [TEN09][THER01]SCADA plugins for Ne
Page 56 and 57: I.2.1.4 SummaryThe table below summ
Page 58 and 59: Shared resourcesinsufficientlyaddre
Page 60 and 61: where it is stored. If an unauthori
Page 62 and 63: Replay attacks:A replay attack is a
Page 64 and 65: TCP/IP:The TCP/IP model is a descri

Process Control Network Security

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?